If you want to handle verification on your own server, then all you need is their purchase code. You should use your own personal token to verify those purchase codes (see my guide: How to verify a purchase code using the Envato API)
If you’re building the verification purely into the item (without communicating with your own server), then you would ask the user for a personal token. You don’t need their purchase code or email. You can get both of those from the API with the personal token. Do not send the personal tokens to your server/API. They should remain local, because they are like passwords into the user’s account.